Olimpo Informatico

[eaglesCZ]

ragazzi spero mi rispondiate presto..
cmq eccovi il mio log di Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 14.31.58, on 20/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\iPod\bin\iPodService.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uscatanzaro.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Programmi\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iso one] C:\DOCUME~1\TROMBE~1\DATIAP~1\DEFAUL~1\TheGrid.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47E0C108-DCD4-4568-9297-56E85D3D4C5A}: NameServer = 193.12.150.2 212.247.152.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programmi\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

grazie..

[eaglesCZ]

potreste rispondermi??? please!!!

[holifay]

Ciao EaglesCZ e benvenuto


Il tuo log mi sembra a posto. Hai qualche problema con il PC?

[eaglesCZ]

ciao holifay!!
no no..semplice controllo..non si sa mai!!

[eaglesCZ]

ah scusa se t rompo di nuovo le scatole..
ma ho fatto una scansione online con kaspersky e mi ha trovato alcuni file infetto..
ecco il report:

C:\Documents and Settings\Trombetta\Dati applicazioni\default wipe settings\TheGrid.exe Infected: Trojan-Downloader.Win32.Swizzor.fi skipped

C:\Documents and Settings\Trombetta\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-1fc8f151-5d55bd24.class Infected: Trojan-Downloader.Java.OpenStream.y skipped

C:\Documents and Settings\Trombetta\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-2ccae614-11db65e4.class Infected: Trojan-Downloader.Java.OpenStream.y skipped

C:\Documents and Settings\Trombetta\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5ffed0b9-6f915149.class Infected: Trojan-Downloader.Java.OpenStream.y skipped

C:\Documents and Settings\Trombetta\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-6eda0a73-2c7e4b19.class Infected: Trojan-Downloader.Java.OpenStream.y skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP130\A0032725.EXE/WISE0003.BIN Infected: Virus.Win9x.CIH.dam skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP130\A0032725.EXE WiseSFX: infected - 1 skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP138\A0034064.exe Infected: Email-Flooder.Win32.EmailBomb.20 skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP148\A0044085.exe/data0002 Infected: IM-Flooder.Win32.Lipun.a skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP148\A0044085.exe Inno: infected - 1 skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP148\A0044085.exe CryptFF: infected - 1 skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP98\A0026244.exe Infected: Trojan-Downloader.Win32.Agent.xz skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP98\A0026256.exe Infected: Trojan-Downloader.Win32.Agent.xz skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP99\A0026275.exe Infected: Trojan-Downloader.Win32.Agent.xz skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP99\A0026296.exe Infected: Trojan-Downloader.Win32.Agent.xz skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP99\A0026308.exe Infected: Trojan-Downloader.Win32.Agent.xz skipped

C:\System Volume Information\_restore{B50C08E0-14F0-413D-8ED1-92D2F4B793EE}\RP99\A0026342.exe Infected: Trojan-Downloader.Win32.Agent.xz skipped


help me!!

[holifay]

TheGrid.exe lo avevo visto nel log, ma non mi sembra un malware. Non sai cosa è? Prova a verificarlo su www.virustotal.com e poi copia/incolla il risultato qui.

Per il resto:

java hai probabilmente una versione vecchia. Svuota la cartella C:>Documents and Settings>Trombetta>Dati applicazioni>Sun>Java>Deployment>cache. Poi disinstalla tutte le verisoni di java dal pannello di controllo e alla fine installa l´ultima da qui http://www.java.com/it/download/index.jsp
Prendi l´abitudine di cancellare i file temporanei di java, cliccando sulla sua icona Java nel pannello di controllo e premendo il pulsante elimina file temporanei

C:>System Volume Information E´la cartella del ripristino di sistema di Windows. Per eliminare quei virus devi temporaneamente disabilitare il ripristino di configurazione: clicca con il tasto destro sull´icona del Desktop risorse del computer, dal menù a tendina scegli proprietà. Metti il flag alla voce Disabilita ripristino configurazione di sistema e premi OK. Riavvia e poi ripristinalo come prima.

Per cancellare un po´ di schifezze nelle varie cartelle temporanee ti consiglio di scaricare alla fine CCleaner.

Ciao

[eaglesCZ]

innanzitutto ecco ciò che il sito ha riportato su "TheGrid":

Antivirus Version Update Result
AntiVir 6.35.0.13 06.19.2006 HEUR/Crypted
Authentium 4.93.8 06.16.2006 no virus found
Avast 4.7.844.0 06.19.2006 Win32:Swizzor-gen
AVG 386 06.19.2006 no virus found
BitDefender 7.2 06.19.2006 no virus found
CAT-QuickHeal 8.00 06.19.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 06.19.2006 no virus found
DrWeb 4.33 06.19.2006 no virus found
eTrust-InoculateIT 23.72.42 06.18.2006 no virus found
eTrust-Vet 12.6.2263 06.19.2006 Win32/Swizzor
Ewido 3.5 06.19.2006 no virus found
Fortinet 2.77.0.0 06.19.2006 suspicious
F-Prot 3.16f 06.17.2006 no virus found
Ikarus 0.2.65.0 06.19.2006 no virus found
Kaspersky 4.0.2.24 06.19.2006 Trojan-Downloader.Win32.Swizzor.fi
McAfee 4787 06.19.2006 no virus found
Microsoft 1.1441 06.19.2006 no virus found
NOD32v2 1.1607 06.19.2006 a variant of Win32/TrojanDownloader.Swizzor
Norman 5.90.21 06.19.2006 no virus found
Panda 9.0.0.4 06.18.2006 Adware/Lop
Sophos 4.06.0 06.19.2006 no virus found
Symantec 8.0 06.19.2006 no virus found
TheHacker 5.9.8.162 06.19.2006 no virus found
UNA 1.83 06.19.2006 no virus found
VBA32 3.11.0 06.19.2006 no virus found
VirusBuster 4.3.7:9 06.19.2006 no virus found

ora provvederò a fare quello che hai detto..

[holifay]

Ah, ti sei preso un trojan fresco di fabbrica!

Kaspersky lo rileva dal 2 giugno. Me lo manderesti zippato a www.suspectfile.com cosi gli diamo una occhiata?

Avvia HijackThis, premi Do a system scan only. Chiudi tutte le finestre e le applicazioni escluso HijackTHis. Poi metti un segno di spunta accanto a questa voce e premi Fix Checked

[eaglesCZ]

scusa se t rispondo solo ora..ma ora che siamo in estate torno a casa solo 2 giorni alla settimana..
cmq THE GRID nn viene eliminato anche solamente facendo fix cecked da hijack?? o dopo devo per forza eliminarlo in modalità provvisoria?

[holifay]

Solo alcuni file vengono cancellati da HijackThis, ad esempio quelli delle voci O2. Per la maggior parte occorre eliminarli manualmente